具有冲突值的多个“X-Frame-Options”标头
[英]Multiple 'X-Frame-Options' headers with conflicting values
问题描述
Update: This works for IE but Chrome is still throwing this error. 
更新:这适用于IE但Chrome仍然会抛出此错误。 I am attempting to i-frame a site I own by another site I own. 我试图通过我拥有的另一个网站构建我拥有的网站。 Here is error message I am getting in the JS console on Chrome: 以下是我在Chrome上的JS控制台中收到的错误消息:
Multiple 'X-Frame-Options' headers with conflicting values ('AllowAll, SAMEORIGIN, AllowAll') encountered when loading 'http://subdomain.mysite.com:8080/Dir/'. Falling back to 'DENY'.
Refused to display 'http://subdomain.mysite.com:8080/Dir/' in a frame because it set 'X-Frame-Options' to 'AllowAll, SAMEORIGIN, AllowAll'.
I did a search for SAMEORIGIN everywhere I am not setting this ANYWHERE. 我在任何地方搜索了SAMEORIGIN,我没有设置任何地方。
The main site is www.mysite.com and the other site is subdomain.mysite.com. 主站点是www.mysite.com,另一个站点是subdomain.mysite.com。 Obviously same-origin policies keep me from doing this. 显然,同源政策使我无法做到这一点。 So i have set the X-Frame-Options header on my subdomain.mysite.com to "AllowAll". 所以我将subdomain.mysite.com上的X-Frame-Options标题设置为“AllowAll”。 On the begin-request method i have added this: 在开始请求方法我添加了这个:
HttpContext.Current.Response.Headers.Remove("X-Frame-Options");
HttpContext.Current.Response.AddHeader("X-Frame-Options", "AllowAll");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
on the page level I have added this: 在页面级别我添加了这个:
<meta name="x-frame-options" content="allowall" />
In Javascript i have added this: 在Javascript中我添加了这个:
<script type="text/javascript">
document.domain = "mysite.com";
</script>
I am running out of things to try... Thank you in advance for your assistance. 我的事情已经不多了......请提前感谢您的帮助。
4 个解决方案
解决方案1
22 2014-06-05 08:58:24
In my case it was the anti-forgery token that was adding the header. 在我的情况下,正在添加标题的是防伪标记。 Adding this in Application_Start stopped it from adding it: 在Application_Start中添加它会阻止它添加它:
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
I then added the X-Frame-Options in the web.config as I needed the whole site to be in an IFrame. 然后我在web.config中添加了X-Frame-Options,因为我需要将整个站点放在IFrame中。
解决方案2
1 已采纳 2014-03-05 04:32:34
Turns out MVC4 adds the header by itself (unsolicited). 原来MVC4自己添加标题(未经请求)。 The only way to get around this was to explicitly remove the header. 解决这个问题的唯一方法是明确删除标题。
Response.Headers.Remove("X-Frame-Options");
There may be a way to convince MVC4 not to do this but it did not service in my scores of Google queries. 可能有一种方法可以说服MVC4不要这样做,但它并没有在我的Google查询中提供服务。
解决方案3
1 2014-08-28 09:09:49
Mike the Tike的答案还有一些细节,这是添加到global.asax.cs中的application_start方法,你需要using指令system.web.helpers
解决方案4
0 2014-03-05 01:36:52
IIS might be adding a second header after yours (you can see this by pressing F12 for Developer Tools in Chrome, attempt to load the page, then click Network, and right-click on the failed page to copy the response headers to have a look). IIS可能会在您的后面添加第二个标题(您可以通过在Chrome中按F12 for Developer Tools,尝试加载页面,然后单击“网络”,右键单击失败的页面以复制响应标题以查看)。
To stop IIS from adding the header: 要阻止IIS添加标头:
- Run IIS Manager 运行IIS管理器
- Select your website 选择您的网站
- Double click the HTTP Response Headers for the application (or on older IIS, right click on the website, click Properties, then HTTP Headers) 双击应用程序的HTTP响应标头(或在旧IIS上,右键单击网站,单击属性,然后单击HTTP标头)
- Then you can override or remove the extra header 然后,您可以覆盖或删除额外的标头
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.